PHP Dependency Management with Composer

This post is now out of date. A new, more comprehensive version can be found here.

In this article I will introduce you to another great project, Composer. Maybe you’ve experienced the pain of working on a PHP application which uses third-party libraries and then trying to keep them and their dependencies up to date. If so, Composer can soothe your pain.

Composer gets you the libraries you want at the versions you need. And if those libraries use other libraries, it can install those and manage them as well. Dependency management can be a hassle-free experience using Composer.

Installing Composer

Composer is bundled as an executable Phar archive, so make sure you have the Phar extension enabled in your php.ini file (uncomment

I recommend download the latest snapshot of the Composer executable directly from the project’s website.

Alternatively, there is an installer script that you can run. If you’re comfortable with the issues surrounding such installers, you can cut and paste the following taken from the Composer website:

curl -s | php

To make Composer globally accessible on your system, move the resulting composer.phar file to a suitable location, like so:

sudo mv composer.phar /usr/local/bin/composer

Using Composer

If you’ve done any Ruby or Node.js programming then Composer may seem a bit familiar to you. The dependency manager was inspired by Bundler and npm. You first create a composer.json file that lists all of your project’s dependencies, and then with a simple command you can fetch or maintain them.

To add a library to your project, create a file named composer.json with content that resembles this example:

    "require": { 
        "illuminate/foundation": "1.0.*"
    "minimum-stability": "dev"

The require key lists the project’s dependencies. The dependency in this example is Illuminate (version 4 of the Laravel framework). Of course Illuminate depends on a whole lot of other packages, and Composer will install these too.

Following the package name you see the required version number. I’ve specified the application can use any minor update in the 1.0 branch. You can also specify specific versions or versions within a given range. You can find more information on package versions on the Composer website.

The minimum-stability key is present because not all of Illuminate’s dependencies are stable yet. If omitted, the rule’s default value is “stable” and the install would fail.

Now to actually install Illuminate, run the following in your project’s directory:

php composer.phar install

Composer creates the folder named vendors and downloads the dependencies into it. As a convenience, Composer also creates a PSR-0 autoloader for you to pull the libraries into your code; simple require vendors/autoload.php in your code to use them.

require_once "vendors/autoload.php";
// your code here

All of Composer’s data on installed libraries in the file composer.lock. Composer tracks versions of libraries are currently installed and what their VCS URL is. It’s like a registry with all information about the local libraries in it. When installing/updating libraries, Composer also updates this file.

You can then keep the packages up-to-date by running composer.phar update.

Packaging Your Own Code

You might be thinking, how does Composer know where to download the code just by the name “illuminate/foundation”? Composer has an official repository named Packagist that it connects to. You can search there to see what libraries are available for management through Composer. You can even create your own packages and submit them to Packagist making them available to others.

Creating your own libraries is quite simple since your project can be viewed as a library with it’s dependencies already listed in composer.json. In fact, the documentation says: “the only difference between your project and libraries is that your project is a package without a name.”

In order to package your code for others to use, you need to define some additional keys:

    "name": "AlexCogn/Illumination",
    "version" : "1.0.0",
    "require": { 
        "illuminate/foundation": "1.0.*"
    "minimum-stability": "dev"

If you have your project on GitHub, it is recommended to use your account name in the project’s namespace. If you are indeed using GitHub, Packagist can fetch the version numbers from there so you don’t really have to define it explicitly as I did above.

Now you can publish the VCS link of your project to Packagist. Pagckagist makes this really easy; either register a new account or log in with GitHub and then click the giant Submit Package button. Provide the repository’s URL and Packagist will crawl it.

In Closing

Today you might have been introduced to another great project you didn’t know about. Or, maybe you’ve heard about Composer but haven’t had time to check it out. In either case, I hope you learned something today: Composer can be very useful in automating the management of your project’s dependencies.

Make sure you also check out the official Composer documentation for updates and techniques I couldn’t discuss in this article.

See you next time!